From: Dan Carpenter <dan.carpenter@oracle.com>
To: bgrove@attotech.com
Cc: linux-scsi@vger.kernel.org
Subject: re: [SCSI] esas2r: ATTO Technology ExpressSAS 6G SAS/SATA RAID Adapter Driver
Date: Thu, 18 Sep 2014 17:23:09 +0300
Message-ID: <20140918142309.GA20848@mwanda>
Hello Bradley Grove,
The patch 26780d9e12ed: "[SCSI] esas2r: ATTO Technology ExpressSAS 6G
SAS/SATA RAID Adapter Driver" from Aug 23, 2013, leads to the
following static checker warning:
drivers/scsi/esas2r/esas2r_ioctl.c:1902 esas2r_read_vda()
error: 'count' from user is not capped properly
drivers/scsi/esas2r/esas2r_ioctl.c
  1892
  1893          if (off > VDA_MAX_BUFFER_SIZE)
  1894                  return 0;
  1895
  1896          if (count + off > VDA_MAX_BUFFER_SIZE)
                    ^^^^^^^^^^^
"count" is a user controlled int. Let's assume we're on a 32 system for
simplicity. If count is a high positive number here, then count + off
is negative and thus less than VDA_MAX_BUFFER_SIZE.
  1897                  count = VDA_MAX_BUFFER_SIZE - off;
  1898
  1899          if (count < 0)
  1900                  return 0;
  1901
  1902          memcpy(buf, a->vda_buffer + off, count);
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Memory corruption.
  1903
  1904          return count;
  1905  }
"count" comes from the ioctl. Let's look at that:
drivers/scsi/esas2r/esas2r_ioctl.c
  1476          case EXPRESS_IOCTL_VDA:
  1477                  err = esas2r_write_vda(a,
  1478                                         (char *)&ioctl->data.ioctl_vda,
  1479                                         0,
  1480                                         sizeof(struct atto_ioctl_vda) +
  1481                                         ioctl->data.ioctl_vda.data_length);
                                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  1482
  1483                  if (err >= 0) {
  1484                          err = esas2r_read_vda(a,
  1485                                                (char *)&ioctl->data.ioctl_vda,
  1486                                                0,
  1487                                                sizeof(struct atto_ioctl_vda) +
  1488                                                ioctl->data.ioctl_vda.data_length);
                                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
These additions have integer overflow bugs. It seems harmless to me,
but hopefully static checkers will eventually start complaining about
them.
  1489                  }
  1490
  1491
  1492
  1493
  1494                  break;
regards,
dan carpenter
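The following is an added stand-alone illustration of the length check discussed in the report, not code from the mail or from the esas2r driver; VDA_MAX_BUFFER_SIZE is given a constructed value and the two helper names are invented. It shows the quoted check accepting a huge user-supplied count next to a variant that compares against the remaining room instead of adding two user-influenced values.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in; the driver's real value is not quoted in the report. */
#define VDA_MAX_BUFFER_SIZE 4096

/* Mirror of the quoted esas2r_read_vda() length logic. The sum is done in
 * unsigned arithmetic and cast back so the two's-complement wrap the report
 * describes is reproduced deterministically rather than relying on undefined
 * signed overflow. Returns the byte count memcpy() would receive, or 0 when
 * the function bails out early. */
static int buggy_copy_len(int off, int count)
{
	if (off > VDA_MAX_BUFFER_SIZE)
		return 0;
	if ((int)((unsigned)count + (unsigned)off) > VDA_MAX_BUFFER_SIZE)
		count = VDA_MAX_BUFFER_SIZE - off;
	if (count < 0)
		return 0;
	return count; /* memcpy(buf, a->vda_buffer + off, count) */
}

/* Hardened variant: reject negative inputs first, then compare count against
 * the remaining room. The subtraction cannot underflow because off has
 * already been bounded by VDA_MAX_BUFFER_SIZE, so no overflow is possible. */
static int safe_copy_len(int off, int count)
{
	if (off < 0 || count < 0 || off > VDA_MAX_BUFFER_SIZE)
		return 0;
	if ((size_t)count > (size_t)(VDA_MAX_BUFFER_SIZE - off))
		count = VDA_MAX_BUFFER_SIZE - off;
	return count;
}

int main(void)
{
	int off = 16, count = INT_MAX; /* constructed: large positive count */

	printf("buggy: off=%d count=%d -> %d bytes\n", off, count,
	       buggy_copy_len(off, count));
	printf("safe:  off=%d count=%d -> %d bytes\n", off, count,
	       safe_copy_len(off, count));
	return 0;
}
```

With count = INT_MAX the buggy check is skipped entirely and the full INT_MAX is handed to memcpy(), while the hardened variant clamps it to the bytes actually left in the buffer.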